[ Fig 1 - Mail about some parcel not being delivered ]
A closer look at the mail reveals some interesting aspects of the spammer's craft. Firstly, there are no obvious spam symptoms, and the sender also looks legitimate. The body is well structured too, which makes it look authentic. So I went ahead (knowing I had a Symantec AV installed and updated) and extracted the contents of the attachment to a folder. To my surprise, it extracted without any warnings.
As a person who eats malware for breakfast and lunch, I have one good habit: un-checking the "Hide extensions for known file types" option in Windows Explorer (Tools >> Folder Options >> View) on all systems that I work with. Somehow I never understood why this option exists in the first place, and why it is checked by default on WinXP installations. Anyway, to make matters worse, Windows Explorer conveniently prevents the full name from showing up (since it is a long name), making it look like a nice Excel file to open. By now, I am sure any innocent user would have fallen prey to the sender and executed this file.
After selecting the file, the full name shows up: "UPS_DOC_986001.exe". Gotcha! Now, since when did invoice copies start getting distributed in the form of executables?! A quick VirusTotal scan identifies the Trojan as Win32/Bredolab [Symantec]. Even as I uploaded the file to VirusTotal, my Symantec AV didn't raise any alarms, which is a bit unusual since it's the first one to jump on any file I attempt to view. Bredolab is a recently discovered downloader-type trojan. Some variants of these postal-themed mails are known to download fake AV programs and other malicious files.
Such a method of distributing malware is not new. Older versions referring to "Western Union" instead of UPS have been circulating for some time now, indicating that this mail could also be from the same malware authors. So be careful with attachments when you receive mails from unexpected or unknown sources, and don't forget to change the Windows Explorer file extension settings!
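The disguise described above works because Explorer strips the final, registered extension from the displayed name. As an added example (not code from the original post), the following Python helper reconstructs what a user would see with extensions hidden and flags attachment names that rely on that behaviour; the extension lists and the function name are my own assumptions, not anything taken from the post.

```python
"""Flag mail attachment names that Explorer's "Hide extensions for known file
types" setting would display deceptively (added example, not from the post)."""
import re

# Assumption: a starter list of extensions Windows will execute directly.
EXECUTABLE_EXTS = {"exe", "scr", "pif", "com", "bat", "cmd",
                   "vbs", "js", "jse", "wsf", "hta", "lnk"}
# Assumption: extensions a user expects on an "invoice" or "document".
DOCUMENT_EXTS = {"xls", "xlsx", "doc", "docx", "pdf", "txt", "rtf"}


def analyze_attachment(filename: str) -> dict:
    """Return the name Explorer would show with extensions hidden, the real
    extension, and the reasons (if any) the name looks deceptive."""
    parts = filename.split(".")
    has_ext = len(parts) > 1
    ext = parts[-1].lower() if has_ext else ""
    # Explorer hides only the last (registered) extension, so "a.xls.exe"
    # is displayed as "a.xls" and "UPS_DOC_986001.exe" as "UPS_DOC_986001".
    displayed = ".".join(parts[:-1]) if has_ext else filename
    reasons = []
    if ext in EXECUTABLE_EXTS:
        reasons.append(f"executable extension '.{ext}'")
        # Double extension: a document extension right before the real one.
        if len(parts) > 2 and parts[-2].lower().strip() in DOCUMENT_EXTS:
            reasons.append(
                f"masquerades as '.{parts[-2].lower().strip()}' document")
        # Runs of whitespace push the real extension out of the visible
        # column, so even with extensions shown the name looks harmless.
        if re.search(r"\s{2,}", displayed):
            reasons.append("whitespace padding before real extension")
    return {"displayed_name": displayed, "extension": ext,
            "suspicious": bool(reasons), "reasons": reasons}


if __name__ == "__main__":
    # Constructed sample names; the first is the one from the mail above.
    for name in ("UPS_DOC_986001.exe", "invoice.xls.exe",
                 "invoice.xls                .exe", "invoice.xls"):
        print(analyze_attachment(name))
```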
Good blog ....